
Errors trying to regenerate certificates (Heartbleed mitigation)

Hi all,

My home UTM is throwing an error when I try to regenerate certificates and the signing CA under Remote Access -> Certificate Management -> Advanced:

The Confd reported an error without providing any details. 


Any ideas? FWIW, I was able to reset my WebAdmin cert without any trouble.
  • Ben, Slikone's trick should still work.  It sounds to me like you have something broken in your configuration or in the software or maybe the site-specific-removed backup was faulty.

    I'm confused about what you and William are saying on the issue of certificates.  Normal backups contain CAs and Certificates that will overwrite whatever is in WebAdmin when a normal backup is restored.

    Cheers - Bob
  • In reply to BAlfson:

    Ben, Slikone's trick should still work.  It sounds to me like you have something broken in your configuration or in the software or maybe the site-specific-removed backup was faulty.

    I'm confused about what you and William are saying on the issue of certificates.  Normal backups contain CAs and Certificates that will overwrite whatever is in WebAdmin when a normal backup is restored.

    Cheers - Bob


    Today I made new backups, with and without Unique Site Data removed.

    I did a clean install from a 9.308-16 DVD (mastered at 4x and verified).

    I followed William's instructions, with the exception that during installation, I input the correct info for my setup, instead of "dummy" info (I assumed the "dummy" info was for ease / speed and not due to a conflict with the process).

    However, when I went to restore the backup with Unique Site Data removed, I experienced the same system hang up as before.  Restoring a full backup works fine, even during the normal process of restoring during installation (I tried multiple ways of restoring, including William's method).

    Ok, so it sounds like I may have a corrupt configuration.  I REALLY don't want to re-create all my rules, etc. from scratch, except as a total last resort.

    I'm reaching for straws here, but here are a few quick items that I'd like to rule out before starting over from scratch:

    -  Did not using "dummy" data during the initial installation matter?

    -  My internal (LAN) IP address range is not the default 192.x.x.x.

    -  In my WebAdmin Settings, I only have certain computers enabled in "Allowed Networks".  However, the PC that I was using to perform the backup / restore was listed here.  This PC has a static IP address.

    Any suggestions on things to look for that may be causing "corruption", other than a bad data file?

    I'm a home user, so Sophos support isn't an option.

    Thanks,

    - Ben
  • Hi Ben ... I've got a similar issue (at least I think it's similar -- in my case I can't access Webadmin at all). Did you ever figure this out?
  • Unfortunately, no, I wasn't able to get it to work and wound up doing a full re-install from scratch.

    As a side note, I really can't stress enough the importance of Bob's rule of having a fully resolvable FQDN.  I wound up using "utm.internal" as my FQDN and still get certificate issues with Outlook trusting my certificate, even though I've added my certificate to the Windows certificate store a hundred times.  I don't know if I should have used an FQDN such as "mail.utm.internal" or "www.utm.internal" or if it's because "utm.internal" is not an actual registered domain.  In hindsight, I think I probably should have just bought an actual, registered domain from GoDaddy, etc. for a few bucks a year and could have saved myself a lot of aggravation and had everything work as it should.  If anyone has any quick suggestions on how to fix this, I'd appreciate it.

    Thanks,

    - Ben
  • If you don't need public resolution, you don't need your own domain name. It certainly makes things easier to do and clarifies things for others.

    If you don't want to buy a domain name, you can use one of the free dynamic DNS services (not DynDNS) to get a publicly-resolvable FQDN that you can use as the hostname of your UTM. Don't forget to configure the UTM on the 'DynDNS' tab of 'Network Services >> DNS' to keep your new FQDN updated with your public IP.

    For the best of both worlds, get a domain name and then create a CNAME record for utm.domain.org that refers to your dynamic FQDN.

    Cheers - Bob

  • In reply to THXEngineer:

    Unfortunately, no, I wasn't able to get it to work and wound up doing a full re-install from scratch.

    As a side note, I really can't stress enough the importance of Bob's rule of having a fully resolvable FQDN.  I wound up using "utm.internal" as my FQDN and still get certificate issues with Outlook trusting my certificate, even though I've added my certificate to the Windows certificate store a hundred times.  I don't know if I should have used an FQDN such as "mail.utm.internal" or "www.utm.internal" or if it's because "utm.internal" is not an actual registered domain.  In hindsight, I think I probably should have just bought an actual, registered domain from GoDaddy, etc. for a few bucks a year and could have saved myself a lot of aggravation and had everything work as it should.  If anyone has any quick suggestions on how to fix this, I'd appreciate it.

    Thanks,

    - Ben


    Ben, did you add it to "Trusted Root" folder? I believe it needs to be in "Trusted Root Certification Authorities" folder. 

    A nice workaround I found in the help documents: your clients behind UTM can download the appropriate certificate if they point their browser to http://passthrough.fw-notify.net/cacert.pem

    That URL is captured by UTM and it serves .PEM file to the user.
  • While an old thread, I ran into this yesterday...

    I experienced the error when I re-did my CA - certificate chain of trust and I removed the old CA, imported the new one, and began removing the old certificates from that CA for users, WebAdmin, etc.  Upon trying to import the newly issued certs, I received the error.

    I'm not sure of the exact cause, but restoring the configuration backup from the previous night fixed the issue.  Random issues like this are why I have it set to take configuration backups daily, as it makes things so much simpler to fix when something starts acting wonky.

    As an FYI for anyone else running into the issue:

    • I do not recommend creating certificates on Sophos, due to the lack of customization to the openssl.cnf and the fact Sophos creates certificates and CAs I don't find secure.  

    • I recommend utilizing openssl on a PC running Windows or a *nix distro, and here is a pre-built openssl config that includes the relevant commands required at the bottom of the config
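    As an added example (not the poster's attached config, which is not reproduced on this page, and not Sophos's code), here is a minimal openssl-based CA of the kind this reply recommends: it writes its own openssl.cnf with explicit CA and server extensions, issues a server certificate for the UTM hostname with a SAN, and then runs the checks you would also run on any CA certificate before importing it into Trusted Root Certification Authorities, including a cacert.pem fetched from the passthrough URL mentioned in the earlier reply (is it really a CA, what is its fingerprint, does the leaf chain to it). The CA name and the hostname utm.example.internal are constructed placeholders; the config section names are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's attached config: build a small private CA
# with the openssl CLI and issue a server certificate for a UTM-style
# hostname, then inspect the result the way you would inspect a downloaded
# cacert.pem before trusting it. All names below are constructed placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_NAME="Example Home CA"            # constructed
UTM_FQDN="utm.example.internal"      # constructed stand-in for the UTM hostname
CNF="$WORKDIR/openssl.cnf"

# Our own openssl.cnf (an assumption about what customizing openssl.cnf means
# here). The CA gets CA:TRUE + keyCertSign; the leaf gets CA:FALSE, serverAuth
# and a SAN, which modern clients check instead of the CN.
write_config() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$UTM_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Self-signed root CA, 10 years, RSA 2048, with the v3_ca extensions.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$CA_NAME" -config "$CNF" -extensions v3_ca \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
}

# CSR for the UTM hostname, then a CA-signed leaf with the v3_server extensions.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$UTM_FQDN" -config "$CNF" \
    -keyout "$WORKDIR/utm.key" -out "$WORKDIR/utm.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/utm.csr" -sha256 -days 825 \
    -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_server -out "$WORKDIR/utm.pem" 2>/dev/null
}

# Checks worth running on any CA certificate before importing it:
# does it carry the CA basic constraint, what is its SHA-256 fingerprint,
# does the leaf actually carry the expected SAN and chain to the CA?
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q "CA:TRUE"
}
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/utm.pem" >/dev/null
}

main() {
  write_config
  make_ca
  issue_server_cert
  verify_chain
  echo "CA fingerprint (compare with what the UTM shows before trusting it): $(fingerprint "$WORKDIR/ca.pem")"
  echo "Files in $WORKDIR: ca.pem (import as Trusted Root), utm.key/utm.pem (upload to the UTM)"
}

main
```

    Run it with sh and set WORKDIR to keep the output somewhere persistent. The fingerprint printed at the end is the value to compare against the one the UTM displays for its CA; the same `is_ca` and `fingerprint` checks apply unchanged to a cacert.pem downloaded from the passthrough URL, and the leaf is kept to 825 days because some client platforms reject longer-lived privately issued certificates.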
  • In reply to BAlfson:

    Greetings Bob,

    I know this is an old thread but I thought it might need some updating now that UTM incorporates Let's Encrypt support.

    slickone27 certainly came up with the easiest way but I have a UTM that I worked with Sophos on for months to be able to restore without the site-specific data. It restored fine if you restored a full backup but if you tried to restore without the site-specific data it failed every time. Everything under the sun was tried by me and Sophos. Unfortunately, Sophos was unable to resolve the issue and I finally gave up once they provided a workaround.

    I was able to successfully get new certificates on the UTM by following Step 4 in this knowledge base article on Heartbleed: Recommended steps for UTM : https://community.sophos.com/kb/en-us/120851. It took a while but it worked great and I have never experienced any issues.

    I am now in a situation where I need to regenerate the certificates on that UTM again and I am prepared to follow the steps in the knowledge base article again, but with direct support for Let's Encrypt certificates now being part of the UTM I had to wonder if your caveat in Rulz would no longer apply if Let's Encrypt certificates were used instead of local certificates?

    Curious to know your thoughts.

  • In reply to htguru:

    Hi old friend!

    Well, I'm originally a math guy, so I always look for "elegant" configuration solutions - for easy-to-understand and -maintain setups.  I haven't been using the LetsEncrypt solution, but would consider it for a home setup.  I still would prefer for new certs to be consistent in the configuration.  Did I answer your question or did I misunderstand which caveat you were referring to?

    Cheers - Bob
    PS You have a PM.

  • In reply to BAlfson:

    Bob,

    Upon reading my post I must agree with you that I wasn't clear enough.

    I have been using Let's Encrypt certificates on all UTMs I manage including this troublesome UTM. I can totally see where someone of your caliber would not feel the need for using the Let's Encrypt solution but for myself it has been a huge blessing being able to click a few buttons and say goodbye to self-signed certificates on the UTMs I manage. They have all renewed without fail until I was forced to make a change to the client's Internet connection on this one UTM.

    When I had to switch from one IP to 5 IPs I was not only forced to change IPs but the hostname, due to my own poor planning by naming the host after the ISP's PTR record name. Obviously having the hostname resolvable in reverse DNS is important for email so I thought that the ISP's PTR record for the IP address would be a good solution. 20/20 hindsight has clearly shown me that it was only a good solution so long as the client maintained that IP address and the ISP didn't change the PTR record.

    Due to the above, what I need to do is change the hostname on this UTM. To avoid having to switch the host names in the future I have learned my lesson and will now set hostnames where I control the forward and reverse DNS. Naturally once the hostname is changed it means that certificates need to be regenerated.

    Since this problem UTM will not restore from a backup when the site-specific data is removed, slickone27's method will not work as the easy solution to regenerate certificates, so I must either start from scratch (not a good option since there's a lot of complexity to this UTM's configuration) or use the method Sophos provided as described in the Heartbleed knowledge base article's step 4.

    I was all prepared to regenerate the certificates using the Heartbleed knowledge base article method but then it occurred to me... With the use of Let's Encrypt for certificates, wouldn't it be unnecessary to regenerate all the certificates following the Heartbleed knowledge base article method, since those self-signed certificates will not be used anyway and will be replaced with Let's Encrypt certificates?

    So since I have been using Let's Encrypt certificates do you suppose it would be possible to simply disable the Let's Encrypt (which deletes all Let's Encrypt related data), change the hostname, and then redo the Let's Encrypt?

    Do you believe that would be sufficient as you say in Rulz "to get CAs, certificates, hostname entries, etc. all aligned?"

    Finally, this brings us to the caveat. What I was referring to is that I've heard you say if you don't get all this stuff aligned you are asking for trouble.

  • In reply to htguru:

    "So since I have been using Let's Encrypt certificates do you suppose it would be possible to simply disable the Let's Encrypt (which deletes all Let's Encrypt related data), change the hostname, and then redo the Let's Encrypt?"

    It sounds like that would work, but were I in your place, I think I would hedge my bet by trying this in a VM first.

    If things aren't "aligned," it's not the end of the world, it's just that there are several details that can slow down solving some problems and complicate other configurations like Remote Access.

    Cheers - Bob